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TRACEABLE ANONYMOUS TRANSACTIONS 

TECHNICAL FIELD 

The present invoition relates generally to secure transactions and, more 
particularly, to techniques for anonymous, yet traceable, transmission and 

5 recq»tion of messages. 

BACKGROUND OF THE INVENTION 

A known protocol of Chaum (Communications of the ACM, Febniary 
1981, Volume 24 at 84-88) describes untraceable electronic mail wherein 
electronic messages are delivered to recipients but the identity of the sender is kept 

10 anonymous. Anonymity can be sought with respect to different parties. For 

instance, when employers elicit "truthful" opinions from their employees, senders 
may desire not to be identified by their recipients. In some other cases, a sender 
and a recipient may even know each other's identity (e.g., they may actually 
exchange signed messages), but wish that other parties arc incapable of learning 

15 that they are the sender and the receiver of a given message or sequence of 

messages. For instance, because they want to hide the existence of a business 
negotiation between them, anonymity is an important privacy enhancement of any 
mail system, and can be very valuable to the smooth flow of business and other 
human interactions. 

20 Untraceability, howevw, is not always desirable. For instance, an 

anonymous electronic mail system may be misused with impunity for sending 
threats to the users of a computer networic. As antrther example, in a 
communication network that guarantees the untraceabiUty of senders, the 
distribution of illegal material may thrive essentially unchecked. For instance, 

25 there is a growing concern that the Internet may be misused for the improper 
distribution of pornography (e.g., to minors). Hie speed and convenience of 
computer networics could also be very attractive for sending inside-trading 
information or any other kind of illegitimate information. Such networks already 
provide encryption facilities, which make it easier to hide illegal data, and the 

30 presence of an anonymous mail system may provide yet one more layer of 
protection for iUegal activities. Indeed, even if law enforcement succeeds in 
obtaining the cleartext of such data (e.g., via the cooperation of its recipient), 
tracing its sender may still prove quite hard. 
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Thus, though anonymous mail has its own advantages and legitimate 
applications, reputable service providers of major communication netwwks may 
shy away from offering untraceable services, because of their associated liabilities 
or because they do not wish to be instrumental to any illegal or improper activity. 
5 BRIEF SUMMARY OF THE INVENTION 

It is a primary object of the present invention to describe a communications 
system wherein messages are sent and received in an anonymous, yet traceable 
manner. 

It is a further object of the invention to describe techniques for 
10 implementing various types of anonymous transactions using one or more trustees 

that have the capability of determining the idratity of a sender or a recipient. 
It is another object of the invention to facilitate secure communications 

between an anonymous senda* and a recipient wherein a reply to a message is 

linked to the message and is traceable to it. 
IS It is still another object of the invention to facilitate such secure 

communications wherein the identity of the original recipient of a message remains 

anonymous yet the recipient's reply to the message is guaranteed to be traceable to 

the message. 

Another object of the invention is to establish and nuuntain an anonymous 
20 communications channel between an original sender and recipient during a 

communications session and wherein at least one of the parties does not know the 
identity of the other party, 

A still further object is to provide such an anonymous communioitions 
channel with at least one, preferably two, and possibly more trustees forming a 
25 direct connection path between the original srader and recipient such that 
communications travel back and forth through the various parties. 

According to yet another object, an anonymous communications channel is 
maintained between an original sender and recipient, wherein at least one of the 
parties does not know the identity of the other party, and wherein the identity of 
30 either or both parties is traceable under certain circumstances through an "audit" 
procedure. 
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In the preferred embodiment, the invention provides so-caUed Traceable 
Anonymous Transactions (TAT systems, for short). These are message- 
transmission systems that 

• guarantee sender-recipient anonymity, and, at the same time, 
5 • guarantee that this anonymity be taken away under proper 

circumstances, i.e., that the message can be traced to the proper 
sender and/or iqplies can be traced to the messages that triggered 
them. 

The process of tracing sender and/or receiver information is conveniently 

10 referred to as an audit. This invention focuses on the mechanisms necessary for 
providing "traceable anonymity." ^topriate conditions under which tracing 
occurs is quite varied, depending on the particular circumstances of the 
communications bang carried out. In a public communication network, die rules 
that determine whether sender/recipients should be traced preferably will be 

15 stricter than in the case of a private network (or in the case in which the facilities 
of a private provider have been used, at least in part, to deliver the message in an 
otherwise public network). 

Among other applications, TAT systems oiable service providers (in 
networks, such as the Internet) to offer anonymous mail services without incurring 

20 the risk, responsibility, and liability of boosting criminal or impn^r operations. 

Indeed, even if an anonymous mail system is put in place for the purpose of hiding 
sender-recdver information with respect to other parties (e.g., like in a business 
n^otiation), the danger exists tiiat it can tiien be misused (e.g., by senders to 
harass some recipients). 

25 Anonymous, but traceable, mail systems can also be used for a variety of 

other ^licaticms. Indeed, when submitting a written exam, examiners may wish 
to remain anOTymous to thdr examiners, until all grades are given, when it may 
be desired that all senders may be correcUy matched with thdr hand solutions. 
Here, tiierefoie, is an example in which anonynuty and traceability are needed in 

30 any single instance, and not just if sometiiing improper occurs. In this case, 

tiierefore, die proper condition for tracing sender information is just the passage of 
a given amount of time, or having completed some action (such as die grading). 
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A similar case may occur during a (possibly electronic) auction, where 
bidders may wish to remain anonymous until the goods have been adjudicated, in 
which case all bidders, or just the winners may be traced. 

This invention preferably relies on the specific collaboration of one or more 
S trustees: preferably, two collaborating but distinct trustees. 

The inventive method preferably splits the specific sender/recipient 
information of a communication between the trustees, so that no single one of 
them knows all its details. It would be undesirable for the trustees to share their 
knowledge in ways other than that indicated by the system, and thus trustees 
10 should be chosen with an ai^ropriate degree of trustworthiness in mind. During a 
proper audit, however, the trustees can (and indeed they should) collaborate so as 
to trace correctly the sender-receiver information of each audited anonymous 
transmission. 

Preferably, the system should ensure that an audit results in correctly 
IS tracing the sender-receiver information of exactly the audited transmission, and 
preferably not that of other transmissions, even those having the same sender. 
Indeed, even if only proper audits will elicit collaboration of the trustees and thus 
succeed in trading the right sender*receiver information^ it may still be possible 
that the prerequisite for auditing a given traceable an<mymous transmission has not 
20 been correctly met, and thus important that the confidentiality of sender-receiver 
information of other transmissions be maintained. 

Preferably too, the trustees should not be required to store anything about a 
transmission, or any significant amount of data about it. Indeed, this may be too 
expensive to do, or it may impose too much responsibility (because, presumably, 
25 the trustees should vouch for the integrity of the data stored about each TAT 
transmission, at least for a reasonable time, and thus store it in very reliable 
ways). In the preferred embodiment, a trustee just stores a few keys, and still is 
Q2cp2b\t to handle audits. 

BRIEF DESCRIPTION OF THE DRAWINC^S 

30 For a more complete understanding of the present invention and the 

advantages thereof, reference should be made to the following Detailed 
Description taken in connection with the accompanying drawing in which: 
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FIGURE 1 illustrates a traceable anonymous communications channel 
wherein there is an original sender, an original recipient and a pair of trustees. 

DETAILED DESCIUPTION OF THE PREFERRED EMBODIMENT 

The original sender and recipient are separated in the simple embodiment 

5 by two trustees, as seen in FIGURE 1. We shall first describe the preferred 

embodiment of the TAT systems where considering first how to make traceable 
the senders of anonymous messages. We shall then describe how to reply in a 
traceable manner to anonymous messages, how to build anonymous channels, and 
how to make traceable relies. 

10 TmPMhlg AqffnymniM Sender 

This embodiment preferably comprises three st^ (a sender's step, a first- 
trustee step, and a second-trustee step, plus an audit procedure). In the sender's 
step, the sender gives the first trustee an encryption, with the first trustee's key, of 
her own signature of (1) her identity, possibly again encrypted with the first- 

15 trustee's key, and (2) an encryption, with the second trustee's key, of (2a) her 
message encrypted with the recipient's key, and (2b) the address/identity of the 
recipient. 

After the sender step, the first trustee can verify the sender's signature, and 
the fact that the agned information consists of (1) the identity of the smder, which 

20 is understandable to it, and (2) the encryption of the message and the recipient's 
identity. Because the second portion is not understandable to it, the first trustee 
does not learn the message nor the ledpiait's identity. But, whether or not the 
first trustee learns the sender's idratity from the mere fact that it had received a 
communication from her, it preferably learns the sender's identity in a way that is 

25 provable to others (i.e., by means of a digital signature) and is unambiguously tied 
to the message in question (indeed, the sender preferably signs a combination of 
her own identity and data identifying her transnussion, such as an encryption of 
her message and of the identity/address of its recipioit). 

In the first trustee step, if the verification of the data received by the sender 

30 is satisfactory, the first trustee gives the second trustee (preferably encrypted with 
the second trustee's key) its own signature of (1) the received (from the sender) 
encryption (with the second trustee's key) of (la) the message (already encrypted 

- 5 - 
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with the recipient's key) and (lb) its recipient idratity, together with (2) the 
received (from the sender) encryption (with the first trustee's key) of the signature 
of the sender. 

After the first trustee stq), the second trustee verifies the signature of the 
S first trustee and determines the recipient's identity. But the second trustee cannot 
verify the sender's encrypted signature^ nor can it determine the sender's identity, 
nor can it understand the sender's message. However, the signature of die first 
trustee signifies that the information recdved by the second trustee includes an 
encrypted version of the sender's signature^ which was properly verified by the 
10 first trustee. 

In the second trustee stq>, the second trustee sends the recipient (preferably 
encrypted with his key) its own signature of (a) the encrypted (with the recipient's 
key) message together with (b) an encryption, with its own key, of the received 
encryption (with the first trustee's key) of the sender's signature, and, preferably, 
15 (c) the received signature of the first trustee (possibly encrypted with the second 
trustee's key). 

The result of these three steps is that the recipient docs not learn the 
sender's identity, but receives both the correct message (in a form that is 
understandable to him), and information that (is not und^standable by him but) is 
20 guaranteed to be sufficient for tracing the sender in case of a proper audit (which, 
for instance, he may request based on the message content). In particular, he 
preferably receives the sender's signature (of the sender's name and her encrypted 
message) encrypted widi the first trustee's key and then further encrypted with the 
seoHid trustee's key. 

25 In case of a proper aitdit, the trustees will cooperate by each removing its 

own encryption layer, thus exposing the sender's signature, which reveals her 
identity in a certified way. That is, not only her identity will become known (to 
the recipient or trustees, or to an authority participating in or coordinating the 
audit), but it will become known (by means of her signature) in a way that is 

30 provable to others (e.g., in court). Moreover, we prefer the sender's identity be 
provably bound to the specific sent message, as it is the case if she signs together 
information identifying her and the message. Having the sender just sign Uie 
message may suffice for the purpose of provably binding the sender to the 
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message. In a typical signature scheme, however, the sender's signature may be 
easUy verified given the sender's public verification key, but a verifier who is just 
given the sender's signature may be at loss as of which verification key to use. 
Indeed, trying all possible verification keys may be quite impractical. (Similar 

5 problems may arise for other types of autheitication techniques.) ExpUcitly 

including the sender's identity avoids these problems. Such identity may however 
be excluded if the authentication techniques used do not give rise to similar 
problems. The identity information, however, may be properly associated with the 
signed message rather than signed togedier with the message. 

10 Notice also that both trustees must cooperate in an audit for tracing the 

sender's identity. Indeed, the sender's signature is successively encrypted with 
both of their keys. Thus, for instance, if no proper audit is in place, and if the 
first trustee happens not to be trustworthy after all, the recipient cannot, in order 
to learn the sender's identity, go to the first trustee to have decrypted the 

15 encryption of the signature of the sender. In fact, this signature is encrypted with 
the secwid trustee's key, and thus the first trustee alone is powerless in 
understanding it. 

If desired, however, (me can use both trustees for providing anonymous 
delivery but require that action of only one trustee for an audit. For instance, the 

20 second trustee may forward to the recipient tiie sender's signature encrypted with 
just a first trustee key (without adding its own encryption layer). In this way, 
only the first trustee need remove its own encryption layer for divulging tiie 
sender's identity. (The encryption of the sender's signatiire may be the original 
one sent by the soider to tfie first trustee or an encryption made by the first tirustee 

25 itself. Indeed, the senda may send its signature to the first trustee without 

encrypting it (e.g., because if he believes that tiie communication line to the first 
trustee is secure enough)). 

Of course, the first trustee can, if malicious, divulge tiie identity of all 
senders it deals with independent of whom tiieir encrypted recipients may be. But 

30 tills is a much less valuable piece of information to a given recipient. Of course, a 
malicious ttustee may prevent the sender from communicating witii tiie recipient 
all togetiier, but tiiis is a totally diffaent sort of problem. 
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It should also be appreciated that, the fact that the trustees collaborate 
during an audit and remove the different encryption layers does not enable a 
malicious recipient to take advantage of an audit in order to find out the identity of 
the sender of another transmission. Indeed, if the audit were granted about a 
S given message, the trustees can ensure thzi their collaboration is restricted to that 
specific message, and the system ensures that a sender of another transmission 
cannot be made to appear as the sender of the transmission at hand, so that if that 
other transmission is audited and the present one is not the sender^s identity of the 
present transmission will remain confidential. 

10 Trucwfrlg AflOHYmffW RgpW?s 

A TAT system may also keq) recipients traceable and anonymous. For 
uistance, senders of some messages addressed to some recipients may be 
themselves new recipients of the replies to these messages. Indeed, a message M 
sent by a sender S to a recipient R may consist of a question or a request and R 

IS may be expected to send something (i.e., a message Af) in response. Thus, S 
becomes the recipient of this response A/', and wishes to keep her anonymity. 
This could be accomplished by having the sender send, together with her original 
message M, an encryption key k and her own return address encrypted with the 
key of the second trustee. Hius R may use the latter ciphertext as item (2b) of a 

20 sender step in which he is the sender M' the message, and the message is 

encrypted with key k. Since the return address of S is part of what she sends R in 
the original sender's step, and since our system allows the traceability of the 
sender, and the association with the sender of whatever she sends (and thus S's 
return address in particular), recipient S is still traceable if so wanted and, of 

25 course, the new sender R is also traceable. We may, however, easily modify the 
system so that only senders are traceable, and not recipient, or vice versa. 

As we have just seen, ignoring traceability issues, recipient R's reply may 
be sent back to the original sendo* S by means of a new smder step (which utilizes 
information previously sent by S to R). Thus, in the preferred embodiment (in 

30 which there are two trustees), in tiie original sender step S transmits information to 
the first trustee, this one to tiie second, and the second to R. During a reply, R 
transmits information to the first trustee, this to die second, and the second to S. 
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Preferably, however, we suggest that replies are routed in a different 
manner; namely, by routing the reply to a message backwards through the same 
communication path used to deliver the message, i.e., by having R transmit 
information to the second trustee, who transmits back to the first trustee, who 

5 transmits back to S. 

For example, and without limitation intended, in a computer network this 
can be accomplished by having both the furst trustee and the second trustee 
remaining in a waiting mode and hold the connection until the reply comes back. 
Thus, when R sends its reply to S, this reply can travel backwards the same path 

10 traveled by S's message and, preferably, using the same connections. (If so 

wanted, at each leg of this path a proper identifier may be added, preferably in a 
secure or authenticated way, so as to be certain to which message does each reply 
correspond). 

Notice that keq>ing the trustee in a waiting mode with a temporarily open 

15 path of communication is quite natural if R is a service provider which S wishes to 
•browse" anonymously, or from which S wishes to obtain a specific service in an 
anonymous manner. Indeed, such an R is geared for prompt response, at least 
signaling that it is unable to provide the requested service. 

In this application, anonymous reply by means of such "backward 

20 traveling" may be preferable for a variety of reasons. First, backward traveling 
may simplify billing. Indeed, the first trustee may easily bill S for handling her 
anonymous message M to R, but R*s reply should be billed to S too, because 
R sent it at S's request. Now, if S sent M to R along a communication path (from 
S to the first trustee, to the sewmd trustee, to R) that is kspi open and traversed 

25 backwaids when R replies to S by sending M\ it is easy to trace replies to 

particular messages. By "tracing" it is not required that the trustee or some other 
external entity understand the content of the message or the rq)ly and have an 
absolute proof that one reply was sent to a particular message. Evct without 
proof, a trustee who "sees" messages going in one direction and replies in the 

30 other is guaranteed that these communications relate to each other. Thus, even 
though these messages and replies may not be understood by the trustees, and at 
least one of S and R may not be known, it is easy even for the trustees to keep 
track of how much time an anonymous communication session between S and R 
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(whomever they may be) has taken. (This is useful because R or the trustees may 
bill on a time basis). Alternatively, it is easy even for the trustees to keep track of 
how many bits have been transmitted in an anonymous communication session 
(indeed, billing may occur on a per-byte basis or in some other predetermined 

5 manner). Alternatively, it is easy even for the trustees to keep track of the mere 
fact that certain replies are traceable to certain messages (indeed, each reply may 
have its own price) and thus may be billed directly or indirectly to the senders of 
those messages. Second, establishing a communication path that is used back and 
forth may simplify other aspects, such as allowing S and R to communicate their 

10 messages back and forth more than one time using the same encryption key (that 
thus becomes a de facto session key)» reducing "hand shakes," etc. 

Backward traveling, however, may still be advantageously approximated by 
establishing session anonymous paths from S to R and from R to S. Indeed, these 
paths may not be identical, but the same path is used for having S send sender- 

15 anonymous messages to R, and for R to send recipi»t-anonymous replies to S. 

Although a multiplicity of trustees may be available, and although each path may 
involve a differ^t set of trustees, each path passes dirough the same trustees in 
the same order each time it is used during an anonymous communication session. 
This allows S (respectively, R) to use the same key for encrypting messages to R 

20 (respectively, S) if so wanted; and guarantees that if message M is sent before 

message m, and it is not lost, then M will arrive before m. Proper identifiers may 
l)e used to ensure that messages belonging to the same anonymous convo^on 
session between the same S and R travel along the same path. Establishing and 
using such fixed anonymous paths will be beneficial for being able to provide 

25 anonymous s^ces. 

Anonymous messages, however, can be traced or ^'linked" to their replies 
without using anonymous channds and backward traveling, or anonymous session 
paths. For instance, a sender may label her initial message to R also by some 
string X (e.g., randomly selected), R may label his rq)ly to this message also by a 

30 string y that is dependent of x by means of some linking function: /(e.g., /may 
be the identity function, in which case, all messages concerning the same session 
may include the same label x, or the function that incremoits by 1, in which case 
the reply may include y = x + 1). The sender's further message to R (within the 

- 10 . 
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same session) may be labeled f(y), and so on. In essence, function/ signals a 
linkage between messages belonging to the same anonymous session (mdeed, it 
may be the function/ that indicates which messages belong to a given session). 
The trustees can be made awaie (in the clear) of such labels without 

5 necessarily divulging the messages to them. Thus, if a trustee helps to deUver an 
encrypted message M labeled "x" and then sees another communication labeled 
f(x), the trustee can trace one communication to the other without necessarily 
knowing what these encrypted messages/replies mean. 

A linking function /may take additional inputs sudi as the time at which a 

10 message is sent, or the length of a message, or both. Alternatively, / may keq> 
track of the TOTAL time or message-length of an anonymous session. For 
instance, if S initiates a session with a service provider R by sending an 
anonymous message M of length L (e.g., consisting of L bits or bytes), then she 
sends M with a label that reflects the value L. When replying to S with a message 

15 M' whose length is L R may send M' with a label that reflects that the total 

current message-length of the session is L + L'. S's further message of length L' 
to R, if any, can be labeled in a way that reflects the total running value of L + 
L' + L", etc. Though S and R may communicate via distinct anonymous session 
paths (or in some other way), one can have a good control of the total length of an 

20 anonymous session. In fact, each of S and R may control that each running total 
is correct, and take proper action (e.g., stopping the session) if it is not. This 
control may be extended also to the trustees if so wanted, without compromising 
the anonymity of the system. For instance, if S always uses the first trustee for 
sending her anonymous messages to R (which certainly is the case if anonymous 

25 channels or session paflis are used), then she can make the indication of the 

running total length understandable by the first trustee, and nothing else may be 
divulged to this trustee. Thus, while preserving aU essential aspects of an 
anonymous system, the first trustee will always be informed of the total length (as 
agreed by S, in absence of any proper action by her) of an anonymous session. A 

30 similar effect can be achieved with respect to time or transmission time rather than 
length. Among other uses, linking functions may be quite effective for billing 
purposes. 
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A Unking function may also be tightly coupled to the content of the 
anonymous messages exchanged. For instance, the label of a message may 
contain an indication of a (preferably one-way) hashing of the message and or 
prior messages. One may also have running total of such bashings, for instance^ 
5 but without limitation, if the (preferably one-way) hashing of the messages sent so 
far is r, then the current message M can have a label that reflects the value T - 
H(T I M), that is, H evaluated on the concatenation of T and M. 

A linking function may also just link a message M with its immediate reply 
M\ even without an anonymous channel or anonymous session paths. 

10 Yartaats 

Many variants and additions are also possible and envisioned by this 
invention. 

Trustees may be "distinct arms" of the same organization, or totally 
separate entities. (Indeed, they need not share any special information that would 
IS be available only within a single company.) If each trustee were individually 
trusted to keep its own data confidential, the possibility that both trustees 
improperly collude should be quite remote. On the other hand, trustees are trusted 
to collaborate, in case of an audit, so as to identify sender- or receiver- 
information. 

20 To realize a TAT system, as noted above one needs not have **direct** 

communication lines between each pair of parties. (Indeed, a TAT system may be 
realized within a broadcasting network, where no direct lines may actually exist 
between users.) For instance, in tiie case of a TAT system realized within a 
computer network, the sender may transmit her required data to the first entity via 

25 some sequence of direct communication lines rath^ than via a single direct 

communication line. In this case, we may distinguish between the (true) smder 
and receiver of a TAT, and the inunediate sender and immediate receiver at the 
opposite ends of a direct communication line. Indeed, it is desired to build TAT 
systems that guarantee traceable anonymity, even if realized witiiin a network of 

30 direct lines where each immediate receiver of a message knows the identity of its 
immediate sender. Indeed, for the true recipient, learning the identity of the true 
sender and tiiat of the immediate sender are two very different things. Further, it 
is desired to guarantee the anonymity of an honest sender in networks where an 
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adversary may monitor all direct communication links, and is thus capable of 
learning the time length, immediate origin, and immediate destination of each 
transmission (and even the actual content of each transmission, if encryption is not 
used). 

5 It is thus desirable to boost the untraceability of the TAT system with 

respect to adversaries capable of such sophisticated traffic analysis. Generally, 
unlike in a traditional communication network, a message traveling to its 
destination in a TAT system is not prefixed with publicly accessible sender- 
receiver information. Rather, the message's journey is preferably brokoi into 

10 three conceptual legs: the first from the sender to the first entity, die second from 
the first entity to the second, and the third from the second entity to the intended 
recipient. Thus, whether or not in each leg an "immediate-sender-receiver" prefix 
is used, each individual heado- does not reveal the "fiiU story;" that is, it does not 
link the true sender to the true recipient. Indeed, if used, the header infOTmation 

15 of a leg need not specify in a pubUdy-understandable way the address information 
of the next leg. 

Nonetheless, a determined and resourcefiil advo-sary may still infer from 
time and length-information relative to message traveUng in a TAT system who is 
its original swider and who is its final recipient. To this «id, in many 
20 communication networks, it is preferable that the two entities (possibly in 

cooperation witfj the users) also implement a Trt^c Decoupling Phase. TDP for 
short, in order to defeat or reduce considerably such traffic analysis. 

nie inventive TAT system works with any TDP, and does not depend on 
its details. Various ways to implement a TDP have been discussed in the 
25 literature, and all of tiiem or new ones can be used herein. For instance, for 
traffic-decoupling purposes, the two entities may not forward tiieir recdved 
messages right away; ratiier, tiiey may wait to have received a given number of 
messages and tfien forward fliem all togctiier, or sequentiaUy, but in some 
permuted order. For instance, assume a TAT system has one million users, and 
30 one tiiousand of tiiem actuaUy send a message every hour. Then, if the two 

entities wait (witiiout limitation) up to an hour before sending received messages, 
an enemy who observes their message traffic faces the task of matching some one 
tiiousand messages recdved by tiie first trustee to some one thousand messages 
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sent by said trustee, or, ultimately, by the second trustee. Thus, even if he knows 
all senders and all receivers relative to that hour, he will still be quite uncertain as 
of which matching is right. Indeed, also message-length information can be 
hidden or sufficiently masked. For instance, one may use a standard length (e.g., 
5 by padding short messages with O's), or break longer messages into two or more 
standard ones. 

It can be appreciated that, though the above TAT system works more 
smoothly with public-key encryption systems, such as Ae RSA, it also works with 
conventional cryptosystems as well. One may actually use a mixnire of public- 
10 and private-key encryption. The encryption technique itself can be deterministic 
or, preferably, probabilistic (that is a message is encrypted with the help of a 
random string). 

Digital signatures are preferred so that one obtains an easy proof that the 
sender takes responsibility for her message. Notice that this assumption of 

IS responsibility holds whether the sender signs the message in the clear or an 

encryption C of the message (provided that C can be decrypted in a single manner 
— or, at least, that one cannot find two different decryptions for C). The scheme 
can be made more efficient if messages are one-way hashed prior to signing them. 
Indeed, one may make one-way hashing integral part of signing. 

20 Notice too, that the reference to a "digital signature" should be construed to 

encompass any other type of digital authentication, or any other combination of 
traditional and digital authentication. It may also refer to the situation where the 
message comes from an at least temporarily-dedicated or previously-authenticated 
line, such that the communication is thus sdf-authenticating. Any such 

2S modification is in the scope of the invoition. 

Notice tiiat the preferred embodiment the sender encrypts the message with 
the recipient's key so as to ke^ it private, in particular, firom the trustees 
themselves. However, the sender may not wish to keep such privacy firom the 
trustees (e.g., because they may comprise or consist of secure hardware) and may 

30 not worry about traffic analysis. In this case, the message may be sent in the 

clear (i.e., not encrypted in the redpimt key), may be encrypted with a trustee's 
key, or may be encrypted by the trustees for transmission to each other or to the 
recipient. 
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Although two trustees are recommended, it should be appreciated that more 
trustees can be used if so wanted, though this may slow down the performance of 
the system. If so wanted, one may even use a single trustee, but this single 
trustee may be able to match a sender with her recipient (though it can be 

5 prevented from understanding the sender's message and can keep the sender's 
identity hidden from the recipient, as long as certain special conditions do not 
apply). Actually, if one wishes to implement a single-trustee TAT system, then it 
would be quite advantageous (but not necessarily required) that this trustee 
comprises some secure hardware; that is, a physically-protected devices (e.g., a 

10 chip) that prevents tampering with or reading with its content. In fact, such a 

secure piece of equipment cannot deviate from its prescribed instructions and make 
it easy to divulge -say- the sender's identity. At the same time, such a trustee 
may, when receiving a special type of signal (which can be issued only during a 
proper audit) cooperate in tracing the sender and in taking other possible actions. 

15 It should be appreciated that the system does not require the trustees (or 

trustee) to keep in storage much information about the individual traceable 
anonymous message it helps transmitting. For instance, a trustee need not store 
away the encrypted messages it forward so as to be able to trace their senders if 
the proper envisaged conditions apply. Rather, a trustee preferably keeps only its 

20 secret decryption and/or signature keys, and thus a quantity that is small and 
independent of the various messages. A trustee preferably forwards with the 
(encrypted) message other (encrypted with its own key) tracing information that 
can be used in case of an audit. The audit is preferably requested by the recipient. 
If he does not wish to initiate to request such a procedure, he can disregard the 

25 received tracing (but unintelligible to him) information. Thus, no wasteful storage 
occurs in the preferred embodiment, which makes the TAT system v^ 
convenient and economical. We may, however, with the scope of the invention, 
have one or more of the trustees keep some information in storage for some 
messages sent, at least for a certain amount of time. In this case, the step of 

30 sending information to the recipient may be omitted. 

It should be also noted that, for maximum security and clarity of 
exposition, we make an extensive use of encryption and digital signatures. We 
may however, reduce the use of such tools while still achieving an acceptable level 
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of security. For instance, we may skip encrypting certain messages in the key of 
their immediate recipients, or sign and/or authenticate only some part of the data 
and/or a compressed version of the data. In particular, we may have 

some but not all the trustees sign information about the sender, and we may 
5 arrange so that the cooperation of some and not all trustees is required during an 
audit. 

In the present invention, the terms "sender** and "recipient" should be 
broadly construed to include persons and other entides, as well as devices, 
computers, systems, apparatus and combinations thereof. Thus, for example, a 
10 recipimt may comprise a database and the message may be a request to access 
data therein. In such a case, a ''communications session** may be qu^ying of a 
database and receiving the requested data in response. Of course, the above is 
merely exemplary and there is no requirement that the present invention be 
implemented in any particular application or operating environment. 
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IN THE CLAIMS 

What is claimed is: 

1. A methcxi of communication betwem a sendtt and a recipient with 
the assistance of at least one trustee, wherein the recipient does not know the 

5 identity of the sender, comprising the steps of: 

having the sender send to a trustee a digital signature of information 
identifying the sender and a message encrypted with an encryption key of the 
recipient; 

having a trustee send the recipient the message encrypted with the recipient 
10 key and the sender's signature encrypted with at least a tnistce's encryption key; 
and 

under predetermined circumstances, having a least a trustee take acticm to 

identify the sender. 

2. The method as described in Claim 1, wherein there is exactly one 

15 trustee, and the trustee makes use of secure hardware. 

3. The method as described in Claim 1, wherein there are at least two 
trustees further including the following steps: 

having a trustee receiving data from the sender send data to another trustee; 

and 

20 having the trustee that receives data from the sender be different from the 

trustee that sends the encrypted message to the recipient 

4. The method as described in Claim 3, where at least one trustee must 

take action to identify the sender* 

5. The methods as described in Claims 1, 2, 3 or 4. wherein the 
25 identity of the s«der is provably bound to the message. 

6. The method as described in Claim 5, wherein if the predetermined 
circumstances occur about a given message, then the sender of that message is 
identified whUe keeping secret the identity of the same sender with respea to at 
least some other messages. 

30 7. An electronic communications method between a sender and a 

recipient with the assistance of at least first and second trustees, wherein at least 
one of the sender and recipient does not know that identity of the other party, by: 
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establishing and maintaining an anonymous communications channel 
between the sender and the recipient during a communications session in which 
sender and recipient exchange messages and replies, wherein information is 
provided to the recipient that is guaranteed to be sufficient to trace the identity of 
5 the sender with assistance from at least one trustee and yet does not reveal the 
sender's identity to the recipient without such assistance. 

8. The method as described in Claim 7 wherein at least one trustee 
does not understand the messages and replies exchanged by sender and recipient. 

9. The method as described in Claim 7 or 8 wherein the trustees hold 
10 information that is guaranteed to identify the sender. 

10. The method as described in Claim 9 wherein the trustees do not 
provide such information to the recipient. 

1 1 . The method as described in Claim 7 wherein die first and second 
trustees provide assistance to determine the identity of the sender under 

15 predetennined circumstances. 

12. The method as described in Claim 7 wherein the anonymous 
communications channel includes a communications path between the sender and a 
trustee and a communications path between said trustee and the recipient. 

13. The method as described in Claim 12 wherein the reply is 

20 transmitted backwards from the recipient to the trustee, and from said trustee to 
the sender. 

14. The meUiod as described in Claim 7 wherein at least pan of the 
anonymous commuiucations channel makes use of broadcasting. 

15. A metiiod of enabling a sender to provide a message to a recipient 
25 with the assistance of at least a first trustee, wherein the redpioit does not know 

the identity of the sender, comprising the stq>s of: 

having the sender and the at least the first trustee participate in a 
communications protocol by which information is provided to the recipient, 
wherein tiie information includes the message and data that is sufficient to trace 
30 the identity of the sender yet does not reveal the sender's identity to the recipient; 
and 

having the recipient take action to determine the message. 
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16. The method as described in Claim 15 wherein at least first and 
second trustees are used, and further including the step of having the first and 
second trustees assist in determining the identity of the sender. 

17. The method as described in Claim 16 wherein at least one of the 

5 sender, the recipient and the first and second trustees communicate electronically 
over a communications channel. 

18. The method as described in Claim 17 wherein the communications 
channel is a computer network. 

19. The method as described in Claim 15 further including the step of 
10 having the recipient provide the sender with a reply to the message. 

20. The method as described in Claim 19 wherein the reply is 
guaranteed to be traceable to the message by at least one trustee. 

21. The method as described in Claim 20 wherein the reply cannot be 
understood by the at least one trustee. 

15 22. The method as described in Claim 16 vrtierein the first and second 

trustees are sq)aiate entities. 

23. The method as described in Claim 16 wherein the first and second 
trustees are parts of a single organization. 

24. The method as described in Claim 17 wherein at least some of the 
20 communicatiOTS occur by broadcasting. 

25. The method as described in Claim 15 wherdn at least a trustee 
comprises a secure hardware device. 

26. A medKxl of communication between a sender and a recipient with 
the assistance of at least first and second trustees, wherein the recipimt docs not 

25 know the identity of the sender and each trustee has a key, comprising the steps 
of: 

having ttie sender send the first trustee a digital signature of a string 
identifying the sender and a message encrypted with a recipient key and an address 
of the recipient; 

30 having the first trustee send the second trustee an encryption with its own 

key of the digital signature, the encrypted message and the aicrypted recipient's 
address; 
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having the second trustee send the recipient the encrypted message and 
information that is sufficient to trace the identity of the sender yet does not reveal 
the sender's identity. 

27. The method as described in Claim 26 further including the steps of: 
S having the recipient take action to determine the message. 

28. The method as described in Claim 26 further including the step of 
having at least one trustee take action under given circumstances to determine the 
identity of the sender. 

29. The method as described in Claim 28 wherein at least one trustee 
10 takes action by removing its own encryption layer from a ciphertext encrypting 

information identifying tiie sender. 

30. The method as described in Claim 29 wherdn the sender's digital 
signature reveals the sender's identity in a way that is provable to otiier parties. 

31. The method as described in Claim 26 wherein at least one of the 
IS sender, the recipient and the first and second trustees communicate electronically 

over a communications channel. 

32. The method as described in Claim 31 wherein the communications 
channel is a computer network. 

33. The method as described in Claim 27 further including the step of 
20 having the recipient provide the sender with a reply to the message* 

34. The method as described in Claim 33 wherein the information sent 
by the second trustee to the recipient includes an encryption key and a return 
address encrypted with the key of a trustee to facilitate the reply. 

35. The method as described in Claim 33 wherein the rq>ly is 

25 guaranteed to be traceable to the message and is delivered Atom the recipient to the 
second trustee, from the second trustee to the first trustee, and from the first 
trustee to the sender. 

36. The method as described in Claim 33 whw^in die reply is 
guaranteed to be traceable to the message and is delivered from the recipient to die 

30 first trustee, from the first trustee to the second trustee, and ftom the second 
trustee to the sender. 

37. A method of communication betwe^ a sender and a rccipiwit with 
the assistance of at least first and second trustees, wherein the recipient does not 
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know the identity of the sender and each trustee has a key, comprising the steps 
of: 

having the sender send the first trustee a digital signature of a string 
identifying the sender and an encryption, with the second trustee key. of a 
5 message intended for the recipient and an address of the recipient; 

having the first trustee send the second trustee an encryption with its own 
key of the sender's digital signature and the encryption of the message and the 
recipient's address; 

having the second trustee send the recipient the message and information 
10 that is sufficient to trace the identity of the sender yet does not reveal the sender's 
identity. 

38. The method as described in Claim 27 further including the steps of: 
having at least one trustee take action to identify the sender. 

39. The method as described in Claim 37 wherein message of the sender 
15 also includes a return address encrypted with a trustee key to fadUtate a reply to 

the message. 

40. A method of enabling a sender to provide a message to a recipient 
and the recipient to provide a rq)ly, with the assistance of at least a first trustee, 
whertin the recipient does not know the identity of the saider, comprising the 

20 stq)s of: 

having die srader and the at least first trustee participate in a 
communications protocol by which a first transmission label is provided to tiie first 
trustee and information is provided to the recipient, wh^n tiie information 
includes the message and data that is sufficient to trace the idratity of the sender 
25 yet does not reveal the SMider's identity to the recipient; and 

having the recipient take action to reply to die message by which a second 
transmission label is provided to the first trustee and a reply is provided to die 
sender; 

wherein die second transmission label is obtained by aw)lying a given 
30 linking function to the first transmission label. 

41. The method as described in Claim 40 wherein die first and second 
transmission labels are used to fedlitate billing. 
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42. A method of communicating a message between a fint party and a 
second party with the assistance of at least one trustee^ wherein the second party 
does not know the content of the message or the identity of the first party and the 
trustee contributes action to trace the first party's identity under a predetermined 

S circumstance. 

43. The method as described in Claim 42 wherein the message is 
communicated with the assistance of first and second trustees, and wherein the 
first and second trustees collaborate to trace the first party's identity under the 
predetermined circumstance. 

10 44. The method as described in Claim 43 wherein the first and second 

trustees are part of the same organization. 

45. The method as described in Claim 42 wherein identity of the first 
party is provably bound to the message. 

46. The method as described in Claim 42 wherein if the predetermined 
IS circumstance occurs, the identity of the first party is traced but only with respect 

to the message. 

47. The method as described in Claim 42 wherein the trustee makes use 
of secure hardware. 

48. The method as described in Claim 42 wherein the second party is an 
20 information provider having a database of information and the message includes a 

request to retrieve information from the database. 

49. The method as described in Claim 48 further indicating the step of 
having the second party provide a reply to the message. 

50. The m^od as described in Claim 49 wherdn the rq)ly includes at 
25 least the information requested by the first party. 

51. The method as described in Claim 50 wherein an open 
communication connection is maintained between the first party and the seomd 
party, through at least one trustee, while the message is communicated. 

52. The method as described in Claim 51 wherein the open 

30 communication connection is maintained at least until the reply is sent from the 
second party. 

53. The method as described in Claim 52 wherein the reply travels 
backwards along the open communication connection. 
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54. The method as described in Claim 52 wherein the communication 
occurs in a computer network and the open communication connection is a 
sequence of open computer connections. 

55. The method as described in Claim 54 wherein the first party is 

5 billed for a period of time during which the communication connection is open. 

56. The method as described in Claim 54 wherein die first party is 
billed via the open communication connection. 

57. The method as described in Claim 56 wherein the second party is an 
information provider and the reply is information retrieved from a database. 

10 58. The method as described in Claim 42 wherein the second party is an 

auctioneer and the message is a bid. 

59. The method as described in Claim 58 wherein the first party is a 
successfiil bidder and the predetermined circumstance is an auction award. 

60. The method as described in Claim 49 wherein the reply is 
15 guaranteed to be traceable to the message by at least one trustee. 

61. A method for providing an electronic auction involving an 
auctioneer and at least first and second bidders, comprising die steps of: 

having each of the bidders communicate bidding information to the 
auctioneer in an anonymous manner with the assistance of at least one trustee, 
20 wherrin the auctioneer uses the bidding information to conduct the electronic 
auction; and 

having the trustee contribute action to trace the identity of at least one of 
the bidders upon completim of the electronic aiK:tion. 

62. The method as described in Claim 61 wherein the trustee does not 
25 trace the identity of the otiier bidder. 

63. The mettiod as described in Claim 61 wherein the bidder whose 
identity is traced by the trustee is the winning bidd^. 

64. A method of communicating between a first party and a second 
party with the assistance of at least one trustee, wherein the second party does not 

30 know the identity of the fu^t party, comprising the steps of: 

maintaining an open communications connection betwem the first and 
second parties tiuough the at least one trustee during at least the transmission of a 
message; and 
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having the trustee contribute action to trace the first party's identity under a 
predetermined circumstance. 

65. The method as described in Qaim 64 wherein the open 
communication connection is maintained when a reply to the message is sent Arom 

5 the second party. 

66. The method as described in Claim 65 wherein the reply travels 
backwards along the open communication connection. 

67. The method as described in Claim 65 wherein the communication 
occurs in a computer network and the open communication connection is a 

10 sequence of open computer connections. 

68. The method as described in Claim 65 wh^ein the first party is 
billed for a period of time during which the communication connection is open. 

69. The method as described in Claim 65 wherein the first party is 
billed for the rq>ly via the open communication connection. 

15 70. The method as described in Claim 69 wherein the second party is an 

information provider and the reply is information retrieved from a database, 

71. A method of communicating between a first party and a second 
party with the assistance of at least one trustee by maintaining open a 
communications link between the first and second parties during at least the 

20 transmission of a message and the transmission of a rq)ly to the message, wherein 
the second party does not know the identity of the first party while the 
communications link remains open. 

72. The method as described in Claim 71 further including the step of 
having the trustee contribute action to trace the identity of the first party upon a 

25 predetermined occurrence. 

73. A method of communication between a first party and a second 
party with the assistance of at least one trustee, comprising the stq>s of: 

establishing an open communication connection between the first party and 
the second party via the at least one trustee; and 
30 having the first and second parties exchange messages and replies forwards 

and backwards over the open communication connection without revealing the first 
party's identity to the second party unless a predetermined circumstance occurs. 
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74. A method of communication between a first party and a second 
party with the assistance of at least one trustee, comprising the steps of: 

establishing an open communication connection between the first party and 
the second party via the at least one trustee; and 
5 having the first and second parties exchange messages and replies forwards 

and backwards over the open communication connection without proving the first 
party's identity to the second party unless a predetermined circumstance occurs, 
and wherein the second party does not know a priori the content of the messages 
of the first party. 

10 75. The method as described in Claim 73 or 74 wherein there are at 

least first and second trustees, wherein at least the first trustee does not know the 
identity of the second party and at least the second trustee does not know the 
identity of the first party. 

76. The method as described in Claim 75 wherein at least one of the 
15 two trustees contributes action to trace the first party's identity when the 

predetermined circumstance occurs. 

77. The method as described in Claim 75 wherein the second party is an 
information provider and at least one trustee contributes action to bill the first 
party. 

20 78. The method as described in Claims 1, 7, 15, 26 or 37 wherein the 

sender is a bidder and the recipient is an auctioneer. 
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